Custom STS & Azure ACS error ACS50008: Invalid SAML token.

Question

I have a custom STS implementation. Currently it is configured as an additional identity provider on Azure ACS. I have a relying party website that is authenticating successfully via ACS (Windows Live, Google, etc). However, whenever I try to login using my custom STS I always get the Error 401.

All replies

Does your STS work with any other RP's? Have you tried going directly from your STS to your app?

The particular error you are receiving isn't very helpful because it could be caused by a few things. By the sounds of it the token received either has bad XML or it isn't signed, or it's missing a few key pieces. Can you run a test and show us the token as it crosses the wire using something like Fiddler?

Please use fiddler to look into the response returned by ACS. Are you able to see other error description besides the ACS5008? Please post the response here.

If there is no additional useful information, one possible reason is that the time of the client mismatches the time of ACS, namely NotBefore below is a time in the future when looked at by ACS.

<saml:Conditions NotBefore="2012-02-13T18:14:17.081Z" NotOnOrAfter="2012-02-13T19:14:17.081Z">
If that's the case you may try to set lifetime to (now - a buffer time such as 5 mins) to now + 1 hour, for instance.
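
The clock-skew problem described in the reply above, worked through in code. This is an added example, not code from the original thread, from ACS, or from the poster's STS: a small validator that applies the SAML Conditions check the way a relying party or federation hub does (reject if NotBefore is still in the future, reject if NotOnOrAfter has passed, optionally with a tolerance), plus the issuer-side fix of back-dating NotBefore by a buffer. The assertion fragment, the function names and the 5-minute buffer are constructed for the example; only the Conditions element is modelled, so signature checking is out of scope here.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample (not a real token): the Conditions values mirror the
# timestamps quoted in the thread.
SAMPLE_ASSERTION = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}">'
    '<saml:Conditions NotBefore="2012-02-13T18:14:17.081Z" '
    'NotOnOrAfter="2012-02-13T19:14:17.081Z"/>'
    '</saml:Assertion>'
)


def parse_saml_instant(value):
    """Parse an xs:dateTime in UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported SAML instant: {value!r}")


def format_saml_instant(dt):
    """Render a UTC datetime as xs:dateTime with millisecond precision."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def check_conditions(assertion_xml, now, skew=timedelta(minutes=5)):
    """Validator side: apply the NotBefore / NotOnOrAfter window.

    `now` is the validator's own clock; `skew` is the tolerance it allows
    for clock drift between issuer and validator (zero for a strict check).
    Returns (accepted, reason).
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is None:
        return False, "no Conditions element"
    not_before = parse_saml_instant(cond.get("NotBefore"))
    not_on_or_after = parse_saml_instant(cond.get("NotOnOrAfter"))
    # Token not yet valid: the issuer's clock is ahead of ours by more than skew.
    if now + skew < not_before:
        return False, f"NotBefore {format_saml_instant(not_before)} is in the future"
    # Token expired: NotOnOrAfter is exclusive, hence >=.
    if now - skew >= not_on_or_after:
        return False, f"NotOnOrAfter {format_saml_instant(not_on_or_after)} has passed"
    return True, "ok"


def issue_conditions(now, lifetime=timedelta(hours=1), backdate=timedelta(minutes=5)):
    """Issuer side: the fix suggested above.

    NotBefore is set to (now - backdate) so a validator whose clock lags the
    issuer by up to `backdate` still accepts the token; NotOnOrAfter is
    now + lifetime. Returns the two values as xs:dateTime strings.
    """
    return format_saml_instant(now - backdate), format_saml_instant(now + lifetime)


def build_assertion(not_before, not_on_or_after):
    """Wrap Conditions values in a minimal (unsigned, constructed) assertion."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}">'
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>'
        '</saml:Assertion>'
    )


if __name__ == "__main__":
    issuer_now = datetime(2012, 2, 13, 18, 14, 17, 81000, tzinfo=timezone.utc)
    # A validator whose clock is three minutes behind the issuer.
    validator_now = issuer_now - timedelta(minutes=3)

    # Token issued with NotBefore == issuer's now: a strict validator rejects it.
    print(check_conditions(SAMPLE_ASSERTION, validator_now, skew=timedelta(0)))
    # Same token, validator allowing 5 minutes of skew: accepted.
    print(check_conditions(SAMPLE_ASSERTION, validator_now))
    # Issuer back-dates NotBefore instead: even the strict validator accepts it.
    nb, noa = issue_conditions(issuer_now)
    print(check_conditions(build_assertion(nb, noa), validator_now, skew=timedelta(0)))
```

Both sides of the fix are shown because only one of them is under the STS author's control: the issuer cannot change how much skew ACS tolerates, but it can back-date NotBefore. Keep the buffer small, since every minute of back-dating is a minute during which a captured token is accepted before its nominal issue time.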

It seems you have a point, so I checked all the dates and made a small time shift there just in case. Unfortunately I still get the same error as before. Maybe I am missing something here, so here is what I got this time: